A China-aligned cyberespionage group has been observed targeting the Central Asian telecommunications sector with variants of malware such as ShadowPad and PlugX.
Cybersecurity firm SentinelOne tied the intrusions to an actor it tracks under the name “Moshen Dragon,” with tactical overlaps between the collective and another threat group referred to as Nomad Panda (aka RedFoxtrot).
“PlugX and ShadowPad have a well-established history of use among Chinese-speaking threat actors primarily for espionage activity,” SentinelOne’s Joey Chen said. “Those tools are flexible and modular in functionality, and are compiled using shellcode so that they can bypass traditional endpoint protection.”
ShadowPad has been described as a “masterpiece” of Chinese espionage malware and was created as a successor to PlugX. Since then, other versions of the malware have surfaced in a number of campaigns associated with Chinese threat actors.
Although known to be deployed by the government-sponsored hacking group dubbed Bronze Atlas (aka APT41, Barium, or Winnti) since at least 2017, an ever-increasing number of other China-linked threat actors have joined the fray.
Earlier this year, Secureworks attributed distinct ShadowPad activity clusters to Chinese nation-state groups that operate in alignment with the Chinese Ministry of State Security (MSS) civilian intelligence agency and the People’s Liberation Army (PLA).
The latest findings from SentinelOne dovetail with a previous report from Trellix in late March that revealed a RedFoxtrot attack campaign targeting telecom and defense sectors in South Asia with a new variant of PlugX malware named Talisman.
Moshen Dragon’s TTPs involve the abuse of legitimate, signed antivirus executables belonging to BitDefender, Kaspersky, McAfee, Symantec, and Trend Micro to sideload ShadowPad and Talisman on compromised systems by means of a technique called DLL search order hijacking: a malicious DLL carrying the name of a library the executable expects is placed next to it, so Windows loads the attacker’s copy from the application directory before the legitimate one.
In the subsequent step, the hijacked DLL decrypts and loads the final ShadowPad or PlugX payload, which resides in the same folder as the antivirus executable. Persistence is achieved by creating either a scheduled task or a service.
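The chain described above (a signed antivirus binary in an unusual directory, an unsigned DLL sitting next to it, and a service or scheduled task pointing back at that directory) is something a detection engineer can hunt for in endpoint telemetry. The following is an added example, not code from SentinelOne or from the report; it runs over a small set of constructed, Sysmon-style image-load and persistence events (the vendor name “ExampleAV Corp”, the paths and the event field names are all hypothetical) and assumes an upstream pipeline has already resolved the Authenticode signer of each file, which this script does not verify itself.

```python
import ntpath

# Constructed sample telemetry, NOT real logs. Field names mimic a normalised
# Sysmon feed (event ID 7 image loads, service installs, scheduled tasks).
EVENTS = [
    # Signed AV scanner dropped into ProgramData loads an unsigned DLL from
    # its own folder instead of the copy Windows would serve from System32.
    {"type": "image_load",
     "process": r"C:\ProgramData\Updater\avscan.exe", "process_signer": "ExampleAV Corp",
     "image": r"C:\ProgramData\Updater\version.dll", "image_signer": None},
    # Same scanner loading a genuine system DLL: benign.
    {"type": "image_load",
     "process": r"C:\ProgramData\Updater\avscan.exe", "process_signer": "ExampleAV Corp",
     "image": r"C:\Windows\System32\kernel32.dll", "image_signer": "Microsoft Windows"},
    # Vendor DLL beside vendor EXE, both signed by the vendor: benign.
    {"type": "image_load",
     "process": r"C:\Program Files\ExampleAV\avscan.exe", "process_signer": "ExampleAV Corp",
     "image": r"C:\Program Files\ExampleAV\avcore.dll", "image_signer": "ExampleAV Corp"},
    # Persistence: a new service whose binary lives in the suspicious folder.
    {"type": "service_install", "name": "UpdaterSvc",
     "command": r'"C:\ProgramData\Updater\avscan.exe" -svc'},
    # Unrelated scheduled task: benign.
    {"type": "scheduled_task", "name": "Maintenance",
     "command": r"C:\Windows\System32\svchost.exe -k netsvcs"},
]

# Illustrative (not exhaustive) set of library names that Windows normally
# supplies from System32 and that are popular sideloading targets.
COMMON_SYSTEM_DLLS = {"version.dll", "dbghelp.dll", "wtsapi32.dll", "cryptsp.dll"}


def _dir(path):
    """Case-insensitive directory of a Windows path."""
    return ntpath.dirname(path).lower()


def _exe_from_command(cmd):
    """Extract the executable from a service/task command line.
    Handles quoted paths containing spaces as well as bare paths."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    return cmd.split(" ", 1)[0]


def find_sideloads(events):
    """Flag image loads where a process pulls a DLL from its own directory
    and that DLL does not carry the process's own signer (unsigned or foreign).
    A vendor DLL signed by the same vendor is considered expected."""
    findings = []
    for e in events:
        if e["type"] != "image_load":
            continue
        same_dir = _dir(e["process"]) == _dir(e["image"])
        signer_mismatch = e["image_signer"] != e["process_signer"]
        if same_dir and signer_mismatch:
            findings.append({
                "process": e["process"],
                "dll": e["image"],
                "dll_signer": e["image_signer"] or "unsigned",
                # Stronger signal when the name is one Windows itself provides.
                "known_system_dll": ntpath.basename(e["image"]).lower() in COMMON_SYSTEM_DLLS,
            })
    return findings


def correlate_persistence(events, sideloads):
    """Return services/tasks whose executable lives in a directory already
    flagged for sideloading; that is the 'scheduled task or service' step."""
    flagged_dirs = {_dir(f["process"]) for f in sideloads}
    hits = []
    for e in events:
        if e["type"] not in ("service_install", "scheduled_task"):
            continue
        if _dir(_exe_from_command(e["command"])) in flagged_dirs:
            hits.append({"persistence": e["type"], "name": e["name"], "command": e["command"]})
    return hits


def triage(events):
    """Combine both checks into a single verdict for an analyst queue."""
    sideloads = find_sideloads(events)
    persistence = correlate_persistence(events, sideloads)
    severity = "none"
    if sideloads:
        severity = "medium"
    if sideloads and persistence:
        severity = "high"
    return {"sideloads": sideloads, "persistence": persistence, "severity": severity}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(EVENTS), indent=2))
```

The signer comparison is the load-bearing check: a vendor binary legitimately loads the vendor’s own signed libraries from its install folder, so “same directory” alone would be noisy, whereas “same directory and a different or missing signer” isolates the hijack. On a real host the signer field would come from Authenticode verification (for example `Get-AuthenticodeSignature` or Sysinternals `sigcheck`), and the persistence correlation only helps once the sideload has already been flagged, so the two checks are meant to run in that order.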
Beyond hijacking security products, the group also relies on known hacking tools and red-team scripts to facilitate credential theft, lateral movement and data exfiltration. The initial access vector remains unknown.
“Once they have gained a foothold within an organization, they move laterally by using Impacket in the network, placing passive backdoors into the victim environment and harvesting as many credentials as possible to ensure unlimited access,” Chen said.